PineWoodsAI LLC  

Privacy Policy

Effective Date: March 28, 2025

Last Updated: April 2, 2026

PineWoodsAI LLC ("PineWoods", "we", "us" or "our") is committed to respecting the privacy of our users. This Privacy Policy describes how we collect, use, and share Personal Information when you use our websites and services.

This Privacy Policy applies to https://pinewoodsai.com and https://healthsphere.tech (collectively, the “Site”), and our services, including the Relational Intelligence Fabric, Athena Prime, Athena Prime HealthSphere, HealthSphere, and any other offerings that reference this Policy (collectively, the “Services”). Capitalized terms not defined here have the meaning given in our Terms of Service.

Our Services are intended for individuals located in the United States. See Section 8.d for information if you are located outside the United States.

By using our Services, you acknowledge that you have read and understood this Privacy Policy. If you choose not to share certain Personal Information, we may be unable to provide some features.

1. Categories of Personal Information We Collect and How We Collect It

“Personal Information” means information that identifies an individual alone or when combined with other data.

We collect the following categories:

- Account & Identity Information (e.g., name, address, email address, telephone number, username, hashed/encrypted password)

- User Interaction Information (e.g., user-input text or audio/voice notes, chat history, timestamps, advisor utilization)

- Activity Information (e.g., step count, workout data, VO2 max)

- Biometric, Health, & Psychological Information (e.g., heart rate, HRV, sleep metrics, nutrition, women’s health cycle data, descriptions of goals, fears, and aspirations)

- Productivity & Communication Platform Data (opt-in) (e.g., calendar metadata, email metadata, permitted summaries when you connect platforms such as Google or Slack)

- Live Session Data (if applicable): If you participate in live facilitated sessions, audio or video from those sessions may be processed in real-time for relational and wellness analysis via Zoom RTMS. You will be notified prior to any session in which real-time analysis is active.

- Service, Browser, & Site Access Information (“Clickstream”) (e.g., IP address, device type, browser, access times)

We may derive additional insights (e.g., psychological markers, stress inferences) based on the information you provide.

Sensitive Personal Information  

We collect categories of data that qualify as Sensitive Personal Information under applicable law, including genetic, biometric, health, and psychological data. We process this data only to provide the Services you request (such as Health Graph insights, nervous system regulation support, and personalized wellness exploration). We do not use Sensitive Personal Information for advertising or unrelated profiling. You may request that we limit our use of your Sensitive Personal Information to purposes strictly necessary to provide the Services.

Non-User Relational Data  

When you input information about third parties (e.g., colleagues, family members) to support relational intelligence features, we retain only the relational context you share. We do not create independent user accounts or marketing profiles for those individuals, we do not contact them, and you may request deletion of that relational data at any time.

How we collect it: Primarily when you provide it directly or connect third-party services/devices.

2. Payment Information

When you make a purchase through our Site, the processing of your payment will be performed by a third-party service provider. We do not collect, maintain, or process your payment card information. When making your purchase, you will be transferred seamlessly through our Site to our payment processor’s service for the completion of your payment and subject to our service provider’s privacy policy. For additional information about third-party service providers, please see Section 8.a below (“Third-Party Sites”).

3. How We Use Personal Information

We process your Personal Information to perform our contract with you, operate and improve the Services, comply with legal obligations, and pursue our legitimate business interests as described in this Policy.

Automated Processing, Orchestration, and Inferences  

Our Services use the Relational Intelligence Fabric (RIF) to orchestrate across third-party AI models and generate derived insights (e.g., Health Graph correlations, Health Personality profiles, nervous system patterns, stress inferences). These outputs are exploratory and educational only and do not constitute clinical decisions.

De-Identified, Anonymous, or Aggregate Data  

We may de-identify or aggregate data so it cannot reasonably identify you. Such data may be used for any lawful purpose, including improving our Services and the RIF.

Protection of Personal Information. We maintain reasonable administrative, technical, and physical safeguards to protect the Personal Information we collect and process. These safeguards include TLS 1.2+ encryption, AES-256 data encryption at rest, VPC isolation, multi-factor authentication for administrative access, least-privilege access controls, monitoring and audit logging, and regular secure backups. While these safeguards mitigate the risk of compromise, no system can guarantee absolute security with respect to the protection of Personal Information.

Retention of Personal Information. We retain Personal Information for a reasonable period after we no longer need it for the purpose for which it was collected (or for any subsequent purpose that is compatible with the original purpose), taking into account legal requirements that apply to us as well as our legitimate interests. Our general data retention schedule is as follows:

- Account & Identity Information: retained for as long as your account remains active

- Biometric, Health, & Psychological Information (user input or derived): deleted upon request or closure of your account

- Data from Integration with Devices/Platforms: collection is terminated upon disconnection from third-party service and information is deleted upon closure of your account

- Backup data: retained for 30 – 90 days after deletion

- De-identified / aggregated data: retained indefinitely

When you provide us your email address to receive information about our products and services or our commercial offers, we will retain it until you withdraw your consent by unsubscribing or as described below under “Your Individual Rights.”

4. How We Share Personal Information

We will not sell your Personal Information.

Artificial Intelligence Service Providers and Orchestration  

We use the Relational Intelligence Fabric to orchestrate across third-party AI models, including OpenAI (ChatGPT), Anthropic (Claude), Google (Gemini), and xAI (Grok). We take technical measures to minimize data sent, including routing de-identified or minimized text where feasible. We do not send raw biometric data, genetic data, health records, or other highly sensitive data to these providers when possible. The list of providers may change; current providers are described at pinewoodsai.com/transparency.

Other Parties. We may share your Personal Information for processing by third parties for the purpose it was collected and as described in this Privacy Policy, including as follows:

- With third parties to whom you authorize us to disclose your Personal Information;

- With our trusted service providers (other than the artificial intelligence service providers discussed above) to process Personal Information on our behalf as described above under “How We Use Personal Information”;

- With affiliated entities under common control with us;

- With businesses we partner with to provide services to you or our customers;

- With our auditors, legal advisors, and similar third-party professionals;

- In connection with any merger, sale of company assets, financing, or acquisition of all or a portion of our business.

Our service providers are required to keep confidential and secure the Personal Information received from us substantially in accordance with this Privacy Policy, and they may not use Personal Information for any other purpose other than for the purpose for which we provided it. When we share your Personal Information with service providers we engage to process data on our behalf, we will ensure those third parties are contractually bound to guarantee the same levels of privacy protection and confidentiality that we follow when handling your Personal Information, and as required under applicable laws.

Our Site may share your Personal Information in accordance with this Policy with the following third-party service providers:

Provider | Function / Purposes of Processing

---|---

Amazon Web Services | Hosting, storage, compute, security logging

Auth0 | User authentication, token issuance

Stripe | Billing, subscription management

Rook | Biometric data aggregation, normalization, syncing

OpenAI (ChatGPT) | Generate coaching responses, natural language processing

Anthropic (Claude) | Generate coaching responses

Google (Gemini) | Generate coaching responses

xAI (Grok) | Generate coaching responses

Google (APIs) | Connection to Google Calendar, Google Drive, and Gmail if enabled by user

PromptLayer | Large language model performance tracking; orchestration diagnostics

Postmark (or SendGrid) | Send system-generated emails, password resets, alerts

Mixpanel | Analyze product usage and improve user experience

Hotjar | User experience analysis

Sentry | Debug errors in production

GitHub | Source code repository

Neo4j | Storage of internal graph models

PostgreSQL (AWS RDS) | Persistent storage of core PWA data

Redis / Valkey | Fast session state; short-term memory

S3 (AWS Buckets) | Long-term archiving and logging

Slack | Team analysis via CohesionLink

Zoom RTMS | Real-time relational analysis

ScoreApp | Lead magnet quiz hosting, scoring, email capture

Calendly | Appointment scheduling, invitee question responses

Gamma | Website hosting and presentations (healthsphere.tech)

In addition, we may share your Personal Information with certain service providers as described in our Cookie Policy. For more information about your rights to decide how we share your Personal Information, please refer to “Your Individual Rights and Choices” below.

We may also share information with third parties when required by law or to otherwise cooperate with law enforcement activity; or when it is necessary to protect our rights or property from fraudulent, abusive, or unlawful activity, to the extent permitted by law.

5. Your Individual Rights and Choices

You may access, verify, update, or correct your Personal Information, or have any of your Personal Information deleted as more fully described below. You may also ask us to change your preferences regarding how we use or disclose your information or let us know that you do not wish to receive any further communication from us.

Access to Specific Information and Data Portability Rights. You have the right to request that we disclose certain information to you about our collection and use of your personal information. Once we receive and confirm your verifiable consumer request, we will disclose to you:

• The categories of Personal Information we collected about you.

• The categories of sources for the Personal Information we collected about you.

• Our business or commercial purpose for collecting your Personal Information.

• The categories of third parties with whom we share that Personal Information.

• The specific pieces of Personal Information we collected about you.

• If requested, we will provide you with a copy of your personal information in a machine-readable format.

You may contact us for such information or to opt out of the sharing of your personal information with third parties for marketing purposes at any time by contacting us as described below under “How to Exercise Your Rights”.

Correction Request Rights. You have the right to request that we correct any inaccurate Personal Information that we collected and retained about you, subject to certain exceptions. You may be able to correct certain information yourself by logging in and updating your online profile if our Services provide such functionality. With respect to personal information unavailable for editing within the Services, once we receive and confirm your verifiable consumer request, we will update (and direct our service providers to update) your Personal Information within our records, unless an exception applies. We may deny your correction request if we cannot verify your identity, or if we determine, under the totality of the circumstances that the contested Personal Information in our possession is more likely than not to be accurate.

Deletion Request Rights. You have the right to request that we delete any of your Personal Information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your Personal Information from our records, unless an exception applies. We may deny your deletion request if retaining the information is necessary for us or our service providers to:

- Complete the transaction for which we collected the Personal Information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you;

- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities;

- Debug products to identify and repair errors that impair existing intended functionality;

- Exercise a right provided for by law;

- Comply with a legal obligation; or

- Make other internal and lawful uses of that information that are compatible with the context in which you provided it and applicable law.

Non-Discrimination. We will not discriminate against you for exercising any of your rights described in this Privacy Policy. Unless otherwise permitted by applicable law, we will not:

- Deny you goods or services;

- Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties;

- Provide you a different level or quality of goods or services; or

- Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

How to Exercise Your Rights.  

To exercise the access, data portability, correction, deletion, and other rights described in this Privacy Policy, please submit a verifiable consumer request to us via email to [email protected].

Only you or a person that you authorize to act on your behalf, as evidenced by registration with the Secretary of State in which you reside, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child. The verifiable consumer request must:

- Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative.

- Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.

Response Timing and Format.  

We endeavor to respond to a verifiable consumer request within 45 days of its receipt. If we require more time, we will inform you of the reason and extension period in writing. We will deliver our written response by mail or electronically, at your option. Any response we provide will only cover the 12-month period preceding our receipt of your verifiable consumer request. The response we provide will also explain if there are any reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance. We generally do not charge a fee to respond to your verifiable consumer request. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

6. Cookies & Tracking Activity

Our Site uses cookies to help us to statistically analyze usage of our Services, and to improve and customize our content and other offerings. “Cookies” are small text files that are automatically placed on your computer or other device when you visit a website. The cookies are stored by the internet browser. The browser sends the cookies back to the website on each subsequent visit, allowing the website to recognize your computer or device. This recognition enables the website provider to observe your activity on the website, deliver a personalized, responsive service and improve the website. For more information about how we use Cookies, please refer to our Cookie Policy.

Web Beacons. We may also use other similar technologies on our Site to recognize and track visitors. A web beacon (also known as a “tracking pixel” or “clear GIF”) is a clear graphic image (typically a one-pixel tag) that is delivered through a web browser or HTML e-mail, typically in conjunction with a cookie. Certain email communications you receive from us may contain web beacons. Web beacons allow us, for example, to obtain information such as the IP address of the computer device that downloaded the page on which the web beacon appears, the URL of the page on which the web beacon appears, the time the page containing the web beacon was viewed, the browser type used to view the page and the information in cookies. We may use web beacons for activities such as monitoring the effectiveness of our communications, to understand whether users have come to our Site from an online advertisement displayed on a third-party website, to measure how ads have been viewed and to improve the performance of our Services.

Do Not Track. Some browsers have incorporated “Do Not Track” (DNT) features that can send a signal to the website you visit indicating that you do not wish to be tracked. Because there is not yet a common understanding of how to interpret the DNT signal, our Services do not currently respond to DNT signals. You can use the range of other tools we provide to control data collection and use, as described above. To find out more about “Do Not Track,” please visit http://www.allaboutdnt.com.

We recognize the Global Privacy Control (GPC) signal as a valid opt-out request for residents of California and Connecticut. If your browser or device transmits a GPC signal, we will treat it as a request to opt out of the sale or sharing of your Personal Information.

7. Advertising

Retargeting Ads  

From time to time, the Site may engage in marketing efforts with third-party companies, such as Google, Facebook, or Instagram, in order to market the Site. These companies use cookies to serve ads based on someone’s past visits to the Site. This means, after visiting the Site, you may see an ad for our products or services when you use another site or service. However, your Personal Information is not used by any remarketing service other than to present you offers from us. We use the following third-party service providers for remarketing:

- Facebook: Opt-out of Facebook remarketing [here](http://www.facebook.com/help/568137493302217)

- Google: Opt-out of Google remarketing [here](https://support.google.com/ads/answer/2662922)

- Pinterest: Opt-out of Pinterest remarketing [here](https://help.pinterest.com/en/article/personalization-and-data)

- LinkedIn: Opt-out of LinkedIn remarketing [here](https://www.linkedin.com/psettings/advertising-data)

- Instagram: Opt-out of Instagram remarketing [here](https://help.instagram.com/2885653514995517/)

Newsletters  

On the Site, you may subscribe to newsletters and other publications, which may be used for advertising purposes. Newsletters and other communications from us may contain tracking pixels. The pixel is embedded in emails and allows an analysis of the success of online marketing campaigns. Because of these tracking pixels, We may see if and when you open an email and which links within the email you click. Also, this allows us to adapt the content of future newsletters to the interests of the user. This behavior will not be passed on to third parties.

Receiving Promotional Materials.  

We may send you information or materials such as emails or newsletters by e-mail or postal mail when you submit your email or postal mail address via the Services. You may “opt-out” of receiving the e-mails by using the unsubscribe feature included in the e-mails you receive. Also, if you do not want to receive this information or materials, you can send an email with your name, mailing address and email address to [email protected]. When we receive your request, we will take reasonable steps to remove your name from our address lists.

8. Miscellaneous

a. Third-Party Sites. Our Services may include links to other websites that operate independently from PineWoods. Linked websites may have their own privacy policies or notices. If you visit any linked websites, we strongly suggest you review their policies and notices. Any information you provide when you visit a nonaffiliated website is subject to the privacy policies posted on those websites. We are not responsible for the content of any websites that are not affiliated with or owned by PineWoods, any use of those websites, or the privacy practices of those websites. We may also provide social media features within our Services that enable you to share information with your social networks and to interact with us through various social media services. Your use of these features may result in the collection or sharing of information about you, depending on the feature. We encourage you to review the privacy policies or notices and settings on the social media service with which you interact to make sure you understand the information that could be shared by those services. You may elect to not use any social media features included within our Services and/or adjust your personal settings and preferences to protect your privacy.

b. Advertisements Linking to our Site. We may hire other companies to place our banner ads on other website and to perform tracking and reporting activities (“Third-party advertisement servers”). They do not collect personally identifiable information in doing this work for us, and we do not give any of your Personal Information to them. Third-party advertisement servers are subject to their own privacy policies.

c. Applicability to Children. Our Services are not intended for children. We do not knowingly solicit data online from or market online to children under the age of 18. IF YOU ARE UNDER THE AGE OF 18, PLEASE DO NOT SEND US ANY PERSONAL INFORMATION INCLUDING WITHOUT LIMITATION YOUR EMAIL ADDRESS, NAME AND/OR CONTACT INFORMATION.

d. Information for Users Outside the United States. Our Services are operated in the United States and PineWoods is not established in any other country, nor does it target citizens in other countries with respect to the Services. If you are located in another jurisdiction, please be aware that information you provide to us will be transferred to, stored and processed in the United States. By using our Services or providing us with any of your personal information, you consent to this transfer, processing, and storage of your information in the United States, a jurisdiction in which the privacy laws may not be as comprehensive as those in the country where you reside or are a citizen. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy. However, no system is completely secure or error-free. We do not, and cannot, guarantee the complete security of your information.

e. Changes to this Policy. We may change this Privacy Policy from time to time at our discretion. We will indicate at the top of the Privacy Policy when it was most recently updated. We will not use your Personal Information in ways that differ materially from this Privacy Statement without prior notice to you, and in no event will we use your Personal Information in ways prohibited by law.

9. Data Security and Breach Notification

We maintain reasonable technical and organizational safeguards to protect your Personal Information. In the event of a security breach involving your Personal Information, we will notify you in accordance with applicable law, including within 60 days of discovery as required under Connecticut law, via email to the address associated with your account.

Contact Us. To exercise any of your rights under this Privacy Policy or for any questions regarding this Policy, we encourage you to contact us by emailing [email protected].